Problem Scope

Overall Goal:

Develop methods and tools for designing control policies, specifying the
properties of the resulting distributed embedded system and the physical
environment, and proving that the specifications are met

Specification

• How does the user specify, in a single formalism, continuous and discrete
control policies, communications protocols and environment models (including
faults)?

Design and reasoning

• How can engineers reason that their designs satisfy the specifications?

• In particular, can engineers reason about the performance of computations
and communication, and incorporate real-time constraints, dynamics, and
uncertainty into that reasoning?

Implementation and verification

• What are the best ways of mapping detailed designs to hardware artifacts,
running on specific operating systems? What languages are suitable for
specifying systems so that the specifications can be verified more easily?
(Some) Accomplishments and Lessons to Date

Lyapunov (-like) functions continue to be a powerful tool

• Allows us to reason about entire sets of continuous variables

- system properties → algebraic conditions

• Can also capture problems in discrete transition systems

- lexicographically-ordered Lyapunov functions for graph grammars

• Powerful new tools (based on SOS) are making reasoning easier

- non-monotonic Lyapunov functions, ROA estimates, ...

Use temporal logic for specification at higher levels of abstraction

• Allows descriptions of proper behavior on execution sequences

• Model checking/theorem proving provide tools for verifying behavior

- PVS, SPIN, TLC, SBT Checker/Inveriant, TLV, ...

• "LTL should be part of every control engineer's knowledge basis"

Asynchronous behavior via guarded command languages

• Guarded command languages allow good description of distributed operation
with no globally synchronized clock

• Can reason about asynchronous behavior using LTL formalisms

• CCL with rates to describe stochastic, multi-rate systems
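An added illustration (not from the slides or from CCL) of the reasoning the last bullets describe: two vehicles modelled as guarded-command processes, every interleaving explored explicitly with no shared clock, and the safety property []!(cross1 & cross2) checked on every reachable state. The intersection protocol, the state names and the `explore` helper are constructed for this example; a real checker such as SPIN or TLV would do the same search on its own input language.

```python
from collections import deque

def explore(init, commands, invariant):
    """BFS over global states through every interleaving of the guarded
    commands (no clock or scheduler assumed). Returns the first state that
    violates `invariant` and the command trace reaching it, else None."""
    start = tuple(sorted(init.items()))
    parent = {start: None}           # state -> (predecessor, command name)
    queue = deque([start])
    while queue:
        s = queue.popleft()
        state = dict(s)
        if not invariant(state):
            trace = []
            while parent[s] is not None:
                s, name = parent[s]
                trace.append(name)
            return state, trace[::-1]
        for name, guard, action in commands:
            if guard(state):         # enabled: fire the command atomically
                nxt = dict(state)
                action(nxt)
                key = tuple(sorted(nxt.items()))
                if key not in parent:
                    parent[key] = (s, name)
                    queue.append(key)
    return None

def vehicle(v, atomic):
    """Guarded commands for one vehicle; `busy` is the shared flag, pc<v> its local state."""
    pc = f"pc{v}"
    if atomic:   # test-and-set as one guarded command
        cmds = [(f"v{v}:enter", lambda s: s[pc] == "approach" and not s["busy"],
                 lambda s: s.update({pc: "cross", "busy": True}))]
    else:        # check the flag now, set it in a later step: a race
        cmds = [(f"v{v}:check", lambda s: s[pc] == "approach" and not s["busy"],
                 lambda s: s.update({pc: "checked"})),
                (f"v{v}:enter", lambda s: s[pc] == "checked",
                 lambda s: s.update({pc: "cross", "busy": True}))]
    cmds.append((f"v{v}:leave", lambda s: s[pc] == "cross",
                 lambda s: s.update({pc: "done", "busy": False})))
    return cmds

def check_intersection(atomic):
    """Safety spec []!(cross1 & cross2) over all interleavings of two vehicles."""
    init = {"pc1": "approach", "pc2": "approach", "busy": False}
    safe = lambda s: not (s["pc1"] == "cross" and s["pc2"] == "cross")
    return explore(init, vehicle(1, atomic) + vehicle(2, atomic), safe)
```

With the non-atomic protocol the search returns a four-command counterexample trace (both vehicles check, then both enter); with the atomic test-and-set it returns None.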
Example: Verification for Autonomous Systems

[Figure: autonomous vehicle driving scenario with labels: 1. plan leading to intersection (stops at end); 2. plan for executing turn (initiated after stop + car check); 3. plan for parking zone; 4. initial plan to checkpoint; 4'. new plan after detecting roadblock; travel direction; omnidirectional travel]
How do we design control protocols that manage behavior?

• Mixture of discrete and continuous decision making

• Ensure proper response to external events, with unknown timing

• Design input = specification + model (system + environment)

• Design output = finite state machine implementing logic

Approach: rapidly explore all trajectories satisfying specs

• Search through all possible actions and events, discarding executions that
violate a set of (LTL) specifications

• Issue: state space explosion (especially due to environment)

• Good news: recent results in model checking for class of specs
Receding Horizon Control for Linear Temporal Logic

Find planner (logic + path) to solve general control problem

• $\varphi_{init}$ = init conditions

• $\varphi_e$ = environment description

• $\varphi_s$ = safety property

• $\varphi_g$ = planning goal

$(\varphi_{init} \wedge \Box \varphi_e) \Rightarrow (\Box \varphi_s \wedge \Diamond \varphi_g)$

• Can find automaton to satisfy this formula in $O((nm|\Sigma|)^3)$ time (!)

Basic idea

• Discretize state space into regions $\{V_i\}$ + interconnection graph

• Organize regions into a partially ordered set $\{W_i\}$; $W_j \prec_{\varphi_g} W_i$
=> if state starts in $W_i$, must transition through $W_j$ on way to goal

• Find a finite state automaton $A_i$ satisfying

$((v \in W_i) \wedge \Phi \wedge \Box \varphi_e) \Rightarrow (\Box \varphi_s \wedge \Diamond (v \in W_{g_i}) \wedge \Box \Phi)$

- $\Phi$ describes receding horizon invariants (eg, no collisions)

- Automaton states describe sequence of regions we transition through;
$W_{g_i} \prec_{\varphi_g} W_i$ is intermediate (fixed horizon) goal

- Planner generates trajectory for each discrete transition

- Partial order condition guarantees that we move closer to goal

Properties

• Provably correct behavior according to spec
Comments and Example

Comments and caveats

• Automaton synthesis is basically searching through all feasible trajectories (efficiently)

• Complexity is polynomial, but can still get large => receding horizon is a huge help!

• Discretization of the state space is important and non-trivial

Example: driving down a lane with unknown obstacles
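An added illustration (not the slides' own toolkit) of the receding-horizon loop from the previous slide on this lane example: regions are grid cells, the partial order is the number of rows left to the goal, and each iteration plans only to the region `horizon` levels closer, executes one step, senses nearby obstacles and replans. A BFS path avoiding known obstacles stands in for synthesizing the automaton $A_i$; the lane size, the one-cell sensing radius and the obstacle cells are constructed for the demo.

```python
from collections import deque

def neighbors(cell, length, width):
    """Interconnection graph of the lane: 4-connected grid cells."""
    r, c = cell
    for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        if 0 <= r + dr < length and 0 <= c + dc < width:
            yield (r + dr, c + dc)

def short_horizon_plan(start, goal_set, length, width, blocked):
    """Stand-in for the per-region automaton A_i: BFS path from start
    to any cell of the intermediate goal W_{g_i}, never entering a
    cell known to be blocked ([] phi_s). None if no such path."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        if u in goal_set:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in neighbors(u, length, width):
            if v not in blocked and v not in prev:
                prev[v] = u
                queue.append(v)
    return None

def rhtlp_drive(length, width, start, goal_row, obstacles, horizon=2):
    """Receding-horizon loop. Region W_k = cells k rows short of
    goal_row, so W_j precedes W_i iff j < i. Each iteration plans only
    to the region `horizon` levels closer, executes one step, replans."""
    order = lambda cell: goal_row - cell[0]     # index of the W containing cell
    known, pos, traj = set(), start, [start]
    for _ in range(4 * length * width):         # step budget for the demo
        if order(pos) == 0:
            return traj, known                  # <>(v in W_0): goal reached
        # environment: obstacles within one cell are sensed, so the single
        # step executed below always lands in a cell known to be free
        known |= {o for o in obstacles
                  if abs(o[0] - pos[0]) <= 1 and abs(o[1] - pos[1]) <= 1}
        target = max(order(pos) - horizon, 0)
        goal_set = {(goal_row - target, c) for c in range(width)}
        plan = short_horizon_plan(pos, goal_set, length, width, known)
        if plan is None:
            return None, traj                   # no safe short-horizon plan
        pos = plan[1]; traj.append(pos)
    return None, traj
```

On an 8x3 lane with obstacles at (2,1), (3,0), (5,1), (5,2) the vehicle reaches row 7 in 10 steps without ever entering an obstacle cell; on a lane that is fully blocked the loop reports that no safe plan exists and returns the trajectory executed so far.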
Transition Paths and Next Steps

Transition activities

• Hands-on workshop: DoD, NASA, industry

• DARPA/industry Multi-Scale Systems Center

- Working with UTC and Raytheon

- Python-based toolkit for RHTLP

Next steps

• Optimization-based methods

- How do we include cost in solutions?

• Structured synchronization

- Typically assume very little structure in asynchronous processes => hard to
verify

- How do we allow some synchronized behavior, but not completely sync'd?

• Distributed synthesis


[Figure: aircraft electric power system. Traditional, centralized distribution: circuit breakers, relays, and contactors. Remote distribution: solid-state power controllers and contactors. Labeled components: APU generator, generators 2x250 kVA, external power 2x115 Vac, 90, 1x120 kVA, 28 Vdc wire, 115 Vac feeder, 230 Vac feeder, remote power distribution unit, forward E/E bay.]

How do we design provably correct, distributed planners?

MuSyC kickoff, Nov 09
Richard M. Murray, Caltech CDS
Distributed Embedded Systems

[Images: autonomous vehicles; battlespace management systems]

Long-Term PAYOFF: Rigorous methods for design and verification of distributed
systems-of-systems in dynamic, uncertain, adversarial environments

OBJECTIVES

• Specification language for continuous & discrete control policies,
communications protocols and environment models (including faults)

• Analysis tools to reason about designs and provide proof certificates for
correct operation

• Implementation on representative testbeds

APPROACH/TECHNICAL CHALLENGES

• Specification and reasoning using guarded command languages, temporal logic
and graph grammars

• Sum of squares analysis for certificates, invariants

• Model checking/theorem proving for hybrid systems

• Extensions to probabilistic, adversarial and networked operations

FUNDING

              FY06   FY07   FY08   FY09   FY10   FY11
AFOSR Funds    417   1000   1000   1000   1000    593
Boeing         310    390    390    370    390  [390]
DARPA GC      1200

TRANSITIONS

• Application to autonomous driving (DGC07)

• Tools inserted in MuSyC (DoD 6.2 + UTC, Raytheon)

• Software toolkits, workshops, and personnel transfer

ACCOMPLISHMENTS/RESULTS

• Foundations of local/global properties of computation

• Embedded graph grammars for cooperative control

• Lyapunov-based verification of temporal properties

• Receding horizon temporal logic planning

• New formulations of game theory/stochastic problems

STUDENTS, POST-DOCS

2006-09: 24 graduate students, 5 postdocs, 4 undergraduates

LABORATORY POINT OF CONTACT

Dr. Siva Banda, AFRL/RBCA, WPAFB, OH